Security and data flow

Your logs never leave your environment.

Dectyl connects with a read-only, least-privilege token and queries in place. Only aggregates, rule metadata, and readiness verdicts cross the boundary. No agents. No log ingestion. No writes. No attacks or simulations. This page shows exactly what crosses and what never does.

read-only · least privilegeno agentsno log ingestionno writesno attacks or simulationslive in days
Your environment · trust boundary · raw data stays here
SIEM / EDR data planesSplunk · Sentinel · Chronicle · Elastic · CrowdStrike. Raw logs, events, telemetry, and your detections live here and stay here.
Read-only, least-privilege tokenNo write scopes, no response actions, no attack scopes. Stored in a secrets manager, rotated.
Dectyl query layerAggregate and metadata queries only: counts, field-population ratios, rule definitions, run and alert history. It checks that the telemetry each detection depends on is flowing and parsing. It never reads the data itself.
aggregates + readiness
verdicts only · TLS
raw logs · event contents · PII
never cross
Dectyl
Verification engineComputes can-fire verdicts from aggregates.
StoreVerdicts, scores, rule metadata. Encrypted at rest.
ReportsReadiness and board-ready reports.

Most of the system lives in your environment. Dectyl receives only what a spreadsheet could hold: counts, ratios, rule metadata, and scores.

The boundary

What crosses, and what never does.

Crosses the boundary
  • Aggregate counts and ratios, e.g. "field populated in 0% of last-hour events"
  • Rule definitions and metadata: already your detection logic, not your data
  • Rule execution and alert history metadata: ran, succeeded, count
  • Computed readiness verdicts and scores
Never crosses
  • Raw log records and event contents
  • Log payloads and message bodies
  • PII, PHI, or sensitive field values
  • Full search results or event samples
The one honest edge case

A small subset of checks, like search-time field extractions an aggregate query cannot see, needs a bounded raw sample. In those cases the sample is reduced to a field-presence result inside your environment before anything egresses. Event contents still never leave.

For the strictest environments we offer an in-environment collector variant: a customer-controlled container runs the queries and computes verdicts inside your boundary, and only verdicts and scores ever leave.

Least privilege

Per-platform read-only scopes.

Exactly what the token asks for, and what it never asks for. Lift this straight into your security questionnaire.

PlatformRead-only scope requestedNever requested
Splunksearch · rest_properties_get, restricted indexesedit_* · can_delete · run_collect
Sentinel / DefenderLog Analytics Reader · Sentinel Reader · Security Readerany write or contributor role
Chroniclechronicle.viewer · monitoring.viewerrule create · retrohunt
Elasticviewer · explicit read on .alerts-security.*any write privilege
CrowdStrikeper-scope READ OAuth clientswrite · RTR · attack scopes
Security properties

Built so the review is short.

Scoped token, managedRead-only, least-privilege. Stored in a secrets manager and rotated. No write, response, or attack scopes, ever.
Encrypted end to endTLS in transit. Verdicts and metadata encrypted at rest. Aggregates-only egress by design.
Human approval requiredNothing auto-deploys to your stack. Your team reviews, edits, and approves every change.
Fully auditableEvery query and change versioned and traceable. SIEM-agnostic, no lock-in.
Security review

Walk your security team through it.

We will go through scopes, egress, and the query layer with your team, and hand over everything the questionnaire needs.